General

Mobile Security:
Where risk meets opportunity, Part 2:
Threats and Defenses — continued

by Lisa Phifer VP Core Competence, Inc. [July 21, 2006]

Built-in defenses
Early mobile devices were largely devoid of security measures. Most had optional PINs, but few users could be bothered to enable them. Beyond that, mobile security largely meant adding third-party solutions. Furthermore, due to their limited resources and lightweight operating systems, mobile devices were easily compromised. While attacks were relatively rare, those that existed (e.g., PalmOS/Phage) had little trouble crashing PDAs, overwriting system files, and programmatically invoking hard resets.

Fortunately, mobile operating systems have made significant security improvements in recent years. Security protocols and capabilities are being added to each new OS release, improving default posture and creating a more robust foundation for security add-ons.

Access Controls are the first line of defense against lost or stolen mobile device compromise. Many power-on locks have been augmented to deter PIN-guessing and encourage use. For example, BlackBerry protection levels can enforce minimum password lengths. Windows Mobile can render a stolen device useless without the user's SmartCard. BlackBerries and Symbian phones can be remotely locked with special messages (i.e., "kill pills"). Palm 6 beefed up its authentication manager to support third-party fingerprint readers that speed unlocking by authorized users.

Stored Data Encryption can stop private data from being lifted from an unlocked mobile device—including those that are resold without being wiped clean. Today, all major mobile operating systems include crypto services for use by programs that need to encrypt data. RC4, DES, and 3DES cipher support are common; only Palm lacks built-in AES. Devices can use these crypto services to protect sensitive system files, but (except for BlackBerry) third-party programs are still needed to encrypt user data.

Backup/Restore capabilities are important to speed recovery after device loss or failure. Centralized backup for BlackBerries is provided through BES. Most other PDAs can be backed up to a desktop with supplied programs like Microsoft ActiveSync, Symbian Sync ML, or Palm HotSync. Enabling synchronization over wireless is making mobile data backup more convenient, but all sync interfaces (whether local or remote) must be secured to stop intruders from exploiting them.

Secure Protocols authenticate communication partners and deter eavesdropping. All major mobile OSs now support web browsing over SSL. Secure browsing through a carrier's Wireless Application Protocol (WAP) Gateway is also relatively common. Symbian and Windows Mobile can encrypt e-mail exchanges with SSL/TLS, or scramble traffic to a corporate VPN using built-in IPsec. BlackBerries use proprietary encryption to scramble traffic to a corporate BES, with optional PGP or S/MIME protection for mail messages. Wireless security varies by interface, but Wi-Fi Protected Access (WPA) support is increasingly common, and most vendors are taking steps to resist Bluetooth attacks.

Authorization is improving, prompted in part by the recent rash of Bluetooth trojans. For example, the "Symbian Signed" program now helps users differentiate between legitimate digitally-signed code and unsigned software that could potentially be malware. Symbian OS 9.2 can limit the capabilities granted to unsigned programs and prevent programs from accessing each other's data. Trust/privilege level enforcement has also been added to Windows Mobile 5 and Palm OS 6.

These built-in OS capabilities have created a more secure ecosystem for mobile business applications, but they do not satisfy all mobile security requirements. Like laptops, PDAs and smartphones can be augmented with after-market security programs that fill in functional gaps and/or provide centralized control and monitoring.

In Part 3 of this series, we will explore mobile security add-ons that can be used to meet the needs of individuals, small businesses and large enterprises.

—End

< Back to page one

Mobile Security: Where risk meets opportunity, Part 1: Introduction

Mobile Security: Where risk meets opportunity, Part 2: Threats and Defenses

Mobile Security: Where risk meets opportunity, Part 3: Value-Added Security Services